
I have been tasked with building a mobile app that requires users to login to a 3rd party service via OAuth2 to obtain some data about them. This mobile app also requires its own backend database storage via a webservice and access to this needs to be secured by user.

I understand the usage of OAuth2 in gaining permission to access 3rd party APIs, but I am less clear on using 3rd party authentication as the basis to secure my own webservice.

Many, many mobile apps use 3rd party social logins like Facebook as ways to offload the authentication process to a separate provider. I see the benefits of this, such as not needing to ever receive a user's password. This post details the exact use case I was looking at.

I also read many posts on here and elsewhere that say "OAuth2 is not authentication." Example and Example

Further, the particular OAuth2 provider I am using does not return any unique user identifier I can use as a key for a user record in my database, only OAuth2 tokens and non-unique user data.

This leads me to think that OAuth2 isn't really about offloading authentication to an OAuth provider at all: it is purely about gaining authorisation to access 3rd party APIs.

Are all of these 100s of mobile apps using OAuth2 social logins in place of their own authentication actually misusing OAuth2? Should my app have its own authentication and store the user's credentials aside from requiring a social login to access their social information?

Glorfindel
Mr. Lane

1 Answer


You are correct that OAuth2 only gives your application permission to act on the user's behalf in their API. OAuth2, by itself, has nothing to do with authentication.

If the third party API has any sort of request that gives you a unique ID for the user that you're working on, then their API can be used as a form of authentication, with the caveat that you're putting your trust in authentication into a system that you don't have control over, and a reminder that authentication is not authorization. (Just because they showed a valid ID card doesn't mean they're allowed to walk into your bank vault.)

But yes, OAuth is only concerned with letting you use the third party API on a user's behalf; it has nothing to do with the accuracy and security of that API beyond identifying you as acting on behalf of the user.

As far as whether or not your application should use their API for authentication, I suggest doing a risk assessment. There really isn't enough information in your question for us to inform you of any known risks, as we don't know how sensitive your data is (will people try to steal your users' accounts?), or how secure the third party's API is.

Ghedipunk
  • Thanks for this. I have decided that we will implement our own authentication using OWIN/JWT and store a username and hashed password in our own database and purely use OAuth2 for 3rd party API access. I am too worried about the lack of a stable key to match our user record to that of the user's 3rd party info and also the possibility of a requirement change to allow the user to switch to or add another 3rd party API login in the future. These are APIs that allow access to physical device data and users may change device providers or have more than one at a time. – Mr. Lane Feb 01 '19 at 05:11
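As an added illustration of the answer's point (example code, not from the question or the answer): a backend that uses the provider's API as a basis for local authentication only when that API returns a stable unique id, refuses when it returns only non-unique profile data (the asker's situation), and then issues the app's own session token. The userinfo responses, the issuer name and the HMAC-signed session format are constructed stand-ins, not any real provider's API or a JWT library.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed stand-in for a provider's userinfo request. Real providers return
# whatever their API defines; what matters is whether a stable per-user id exists.
PROVIDER_ISSUER = "https://provider.example"  # placeholder issuer name
FAKE_USERINFO = {
    "token-with-sub": {"sub": "24400320", "name": "Pat Lane", "email": "pat@example.com"},
    "token-without-sub": {"name": "Pat Lane", "email": "pat@example.com"},  # no unique id
}

def fetch_userinfo(access_token):
    """Stand-in for calling the provider API with the user's OAuth2 access token."""
    if access_token not in FAKE_USERINFO:
        raise PermissionError("provider rejected the access token")
    return FAKE_USERINFO[access_token]

def resolve_local_user(access_token, user_db, fetch=fetch_userinfo):
    """Map a provider identity to a local user record, keyed only on the
    provider's stable unique id, never on mutable fields such as name or email."""
    profile = fetch(access_token)
    stable_id = profile.get("sub")
    if not stable_id:
        raise ValueError("provider returns no stable unique id; "
                         "its API cannot serve as the basis for local authentication")
    key = f"{PROVIDER_ISSUER}#{stable_id}"  # same person, same key, every login
    if key not in user_db:
        user_db[key] = {"local_id": secrets.token_hex(8), "display": profile.get("name")}
    return user_db[key]["local_id"]

def issue_session(local_id, secret, ttl=3600, now=None):
    """Mint the app's own session token (HMAC-signed, a minimal JWT-like stand-in)."""
    now = int(time.time()) if now is None else now
    payload = json.dumps({"uid": local_id, "exp": now + ttl}, separators=(",", ":"))
    mac = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + mac

def verify_session(token, secret, now=None):
    """Return the local user id if the token is authentic and unexpired, else None."""
    payload, _, mac = token.rpartition(".")
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    claims = json.loads(payload)
    now = int(time.time()) if now is None else now
    return claims["uid"] if claims["exp"] > now else None
```

Every later request to the backend is then authenticated with the app's own session token, and the provider's access token is used only for calls to the provider's API on the user's behalf.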